On Tue, Jun 23, 2020 at 11:51:09PM -0400, John Snow wrote:
> > (Tangent: what does *this* setting actually control? Should QEMU
> > meaningfully change its behavior when it's set?)
>
> I never knew what this option did, but the answer is ... strange!
>
> It's only defined for linux, in os-posix.c. When called, it calls
> fips_set_state(true), located in osdep.c.
>
> This will read /proc/sys/crypto/fips_enabled and set the static global
> 'fips_enabled' to true if this setting is on.
>
> (Tang
>
> ole distro. RH specific. rhel-7 kernel has it. rhel-8 kernel
> too, so it probably isn't obsolete. Not present in mainline kernels.
>
> I'm wondering what the point of the -enablefips switch is. Shouldn't
> qemu check /proc/sys/crypto/fips_enabled unconditionally instead?

The switch feels rather silly to me

> I'm wondering what the point of the -enablefips switch is. Shouldn't
> qemu check /proc/sys/crypto/fips_enabled unconditionally instead?

It sounds like we want a compile-time flag that makes it mandatory
instead of optional where it doesn't do a good job of "enforcing" fips
mode. (I